Bug 991207 (Closed)
Opened 11 years ago, closed 10 years ago
Security: ocsp connections appear to be made unencrypted on port 80
Categories: Core :: Security: PSM, defect
People: Reporter: mozilla, Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517
Steps to reproduce:
Install Firefox on OS X
Install Little Snitch
Reboot
Start Firefox
Expected results:
As many built-in connections as possible are made over encrypted channel(s)
As many security-critical functions as possible are made over encrypted channel(s)
Actual results:
I notice Firefox tries to make a connection to ocsp.godaddy.com on port 80
I notice Firefox tries to make a connection to ocsp.digicert.com on port 80
Upon browsing a page encrypted with an EV certificate chain, I notice Firefox tries to make a connection with evsecure-ocsp.geotrust.com on port 80.
Proposed Change:
Change all of these service endpoints to HTTPS connections
Updated 11 years ago:
Group: core-security
Component: Untriaged → Security: PSM
Product: Firefox → Core

Comment 1 (Reporter), 11 years ago:
Note that users install Firefox on laptops and travel to hotels, etc., where the first few minutes of web browsing are not secure or correct; where replies to all web requests may conceivably be fake replies from Wi-Fi walled gardens or whatnot. Any such encrypted connection attempt results in an obvious failure; but any unencrypted connection is subject to false information being returned by the walled garden or indeed any other man-in-the-middle at any time.
Such a maliciously returned result will presumably be implicitly trusted by Firefox, and:
- legitimate certificates may be revoked by a false reply to ocsp query;
- truly dangerous certificates may be omitted from the revocation list; and then used to further the attack on the user
- other possible outcomes from a lack of guaranteed trustworthy ocsp reply.
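The threat sketched in the comment above, as an added example that is not part of the bug report or of Firefox's own code: an OCSP request and reply are built and checked offline with Python's `cryptography` package, for a test CA, a leaf certificate it issued, and an unrelated on-path "hotel-portal" identity, all generated inside the script and assumed for the demonstration. It shows what a client can verify on a reply that arrived over plain HTTP (binding of the reply to the request, and the responder's signature over the status data), what a reply forged by the on-path party with its own key looks like to that check, and the unsigned error reply that carries no status at all, which is the case where a client's soft-fail or hard-fail policy decides the outcome.

```python
# Added example, not from the bug report or from Firefox/PSM. All keys, names and
# certificates are generated here for the demonstration (assumptions, not real PKI).
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _cert(subject_cn, issuer_cn, public_key, signing_key, is_ca):
    """Minimal X.509 certificate, enough for the OCSP fields used below."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def make_pki():
    """Test CA, one leaf it issued, and an on-path attacker (captive portal)
    that holds its own key but has no access to the CA key."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert("Test OCSP CA", "Test OCSP CA", ca_key.public_key(), ca_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = _cert("example.test", "Test OCSP CA", leaf_key.public_key(), ca_key, False)
    mitm_key = ec.generate_private_key(ec.SECP256R1())
    mitm_cert = _cert("hotel-portal", "hotel-portal", mitm_key.public_key(), mitm_key, True)
    return ca_key, ca_cert, leaf_cert, mitm_key, mitm_cert


def build_request(leaf_cert, ca_cert):
    """DER body the client POSTs to the responder (Content-Type application/ocsp-request)."""
    builder = ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, ca_cert, hashes.SHA1())
    return builder.build().public_bytes(DER)


def respond(request_der, leaf_cert, ca_cert, signer_key, signer_cert, status):
    """Responder side: assert `status` for the requested cert, signed by signer_key.
    Passing the attacker's key and cert models a forged reply injected on port 80."""
    ocsp.load_der_ocsp_request(request_der)  # a real responder looks the serial up here
    now = _now()
    revoked_at = now - datetime.timedelta(hours=1) if status is REVOKED else None
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(), cert_status=status,
            this_update=now, next_update=now + datetime.timedelta(hours=1),
            revocation_time=revoked_at, revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
    )
    return builder.sign(signer_key, hashes.SHA256()).public_bytes(DER)


def try_later():
    """Unsigned error reply: what an attacker without the CA key can inject that
    still parses cleanly. It carries no certificate status."""
    return ocsp.OCSPResponseBuilder.build_unsuccessful(
        ocsp.OCSPResponseStatus.TRY_LATER).public_bytes(DER)


def client_check(response_der, request_der, ca_cert):
    """Client side. Returns the status the client may act on, or None when the reply
    yields no trustworthy status (garbage, error status, mismatch, bad signature)."""
    try:
        resp = ocsp.load_der_ocsp_response(response_der)
    except ValueError:
        return None
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None
    req = ocsp.load_der_ocsp_request(request_der)
    # Bind the reply to the certificate we actually asked about.
    if resp.serial_number != req.serial_number or resp.issuer_key_hash != req.issuer_key_hash:
        return None
    # The responder's signature, not the transport, is what makes the status trustworthy.
    # Simplification: only the issuing CA is accepted as signer; real clients also accept
    # a responder certificate the CA delegated with id-kp-OCSPSigning.
    try:
        ca_cert.public_key().verify(
            resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return None
    return resp.certificate_status


def connection_allowed(status, hard_fail):
    """Policy step of this example: under soft-fail, 'no usable status' is treated
    like GOOD, which is all an attacker who can only break the fetch needs."""
    if status is GOOD:
        return True
    if status is None:
        return not hard_fail
    return False  # REVOKED or UNKNOWN
```

Run through `make_pki`, `build_request`, `respond` and `client_check` in that order: a reply signed by the CA yields GOOD or REVOKED, while the same reply signed with the hotel-portal key, the `try_later` reply, or random bytes all yield None. What the on-path party can therefore do on an unencrypted path is deny the client a status, not choose one, and whether that denial matters is the soft-fail versus hard-fail decision in `connection_allowed`; Firefox exposes that choice as the `security.OCSP.require` preference, which is off (soft-fail) by default.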
Updated 10 years ago:
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE